Hi Tim,

Thanks for your reply and comments. The comments so far from the list have enlightened me a lot on this topic. And, I thank all for their comments!

The missing piece of info I guess I did not realize is that if I encrypt some drive or part of it like folders or some system volume that I had to have the decryption keys as part of it. I thought the keys were encrypted as well. And, the only time it could be decrypted is by me. So, if I wanted to modify and update the encrypted data I would then download it back to my machine and decrypt it and make whatever changes and upload it back to the server. While uploading and downloading the data it is already in encrypted form. And, my understanding was that new data that is saved/updated by users would be encrypted on the fly. Encrypted data that leaves the server would be decrypted BUT then with SSL only the user would see the requested data.

This was my understanding of what tools like TrueCrypt do. So, I think I'm totally missing the point of the product.

As for the questions/comments about what kind of data I need to protect, that is hard to answer as I don't have any specific data in mind. I'm more interested in understanding the technology - regardless of data. But, to try and answer that I would say any kind of typical web based application - but nothing specific.

Joe

On Sun, Apr 6, 2008 at 8:33 PM, Tim Lieberman <[EMAIL PROTECTED]> wrote:

> Joe Leo wrote:
>
> > You've hit the right questions I am looking to understand. The answer is
> > both. From what I understand about a tool like TrueCrypt I can encrypt say
> > my webfolder (web site) and upload it to my hosting provider. And, what I am
> > trying to understand is can the encrypted data remain encrypted and still
> > serve content. Or, once I upload the encrypted data must I need to decrypt
> > it to serve the content? I am not concerned about data being encrypted out to
> > the users browser. SSL takes care of that - right? So, if it is that I can
> > encrypt and it remains encrypted while serving content then this is not a bad
> > solution.
> > And, of course one can take other measures like ssh to the server
> > to actually keep access to it secure.
> >
> In 99% of cases, there's no real argument for storing data on the server
> in an encrypted state. This is because if your host security is
> compromised, the cracker will have your encryption keys as well as your
> encryption data.
>
> Communicating with server (Administration, Uploading files, etc):
> SSH/SFTP.
> Data On The Server: Usually there is no good argument for encrypting it.
> If you're going to be serving it to anyone, you'll need to decrypt it on
> the way out, so they can read it. If the server can decrypt it, anyone who
> compromises the server can decrypt it, so it's useless and a waste of
> resources.
>
> Server Communicating with Clients: use SSL.
>
> The exception case: You have a small group of users, to whom you want to
> make available some very secret data. You don't want to do any processing
> of the data on the server. You just want to upload an encrypted file, and
> have them download it (still encrypted). This of course implies that you've
> somehow securely distributed the decryption key to your users. This case
> almost never happens. You'd be better off having your users generate GPG
> key pairs, send you the public key. You encrypt for each user and send via
> email or any other method. By leveraging public-key cryptography, you avoid
> the need to securely communicate any keys.
>
> As others have implied, it would be a lot easier to answer your queries if
> we knew more specifics about what kind of data (and what kind of operations
> on that data) you're talking about.
>
> But in almost every case, encrypting things on the server just chews up
> server resources while providing exactly zero protection.
>
> -Tim
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
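
The "exception case" in the quoted reply (upload an encrypted file, encrypt for each user's public key), sketched in PHP as an added example that is not code from this thread. It assumes PHP 8 with the openssl extension and uses `openssl_seal()` in place of GPG; the function names and the inline key generation are hypothetical and exist only so the script runs offline.

```php
<?php
// Constructed stand-in: in the scenario above each user generates a key pair
// on their own machine and sends only the public half.
function makeKeyPair(): array
{
    $res = openssl_pkey_new(['private_key_bits' => 2048,
                             'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    openssl_pkey_export($res, $privatePem);
    return ['private' => $privatePem,
            'public'  => openssl_pkey_get_details($res)['key']];
}

// Encrypt the data once with a random session key, then wrap that session
// key separately under every recipient's public key.
function sealForRecipients(string $plaintext, array $publicKeys): array
{
    $ok = openssl_seal($plaintext, $sealed, $wrapped,
                       array_values($publicKeys), 'aes-256-cbc', $iv);
    if ($ok === false) {
        throw new RuntimeException('openssl_seal failed: ' . openssl_error_string());
    }
    // Everything the server stores: ciphertext, IV, wrapped keys.
    // No private key and no plaintext ever reach it.
    return ['data' => $sealed, 'iv' => $iv,
            'keys' => array_combine(array_keys($publicKeys), $wrapped)];
}

// Runs on the recipient's machine, where the private key lives.
function openAsRecipient(array $envelope, string $name, string $privatePem): ?string
{
    if (!isset($envelope['keys'][$name])) {
        return null; // nothing was sealed for this recipient
    }
    $ok = openssl_open($envelope['data'], $plain, $envelope['keys'][$name],
                       $privatePem, 'aes-256-cbc', $envelope['iv']);
    return $ok ? $plain : null;
}

$message  = 'constructed sample data';
$alice    = makeKeyPair();
$bob      = makeKeyPair();
$outsider = makeKeyPair(); // holds a copy of the stored envelope, but no recipient key

$envelope = sealForRecipients($message, ['alice' => $alice['public'],
                                         'bob'   => $bob['public']]);

var_dump(openAsRecipient($envelope, 'alice', $alice['private']) === $message);
var_dump(openAsRecipient($envelope, 'bob', $bob['private']) === $message);
var_dump(openAsRecipient($envelope, 'alice', $outsider['private']) === $message);
```

AES-CBC as used here gives confidentiality only; recipients who must detect tampering with the stored file also need a signature over it.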